On the Investigations page you can start, manage, and add details to investigations, and view or filter the investigations assigned to you or that you collaborate on. Enterprise Security admins can also view and manage all investigations that exist in Splunk Enterprise Security. For admin information, see Manage investigations in Splunk Enterprise Security in Administer Splunk Enterprise Security.

As an analyst, you only see investigations assigned to you unless you also have been granted the capability to manage all investigations.

Manage your investigations

Manage ongoing investigations from the Investigations page. You can see the titles, descriptions, time created, last modified time, and collaborators on the investigations assigned to you. If you have the capability to manage all investigations, you can see all the same details for all investigations, not just the investigations that you collaborate on.

Find an investigation or refine the list of investigations by filtering. Type in the Filter box to search the title and description fields of investigations.

Example investigation workflow

1. You are notified of a security incident that needs investigation, through a notable event, an alert action, an email, a help desk ticket, or a phone call.

2. Create an investigation in Splunk Enterprise Security.

3. Add colleagues to the investigation as collaborators.

4. Open the investigation and start investigating on the workbench.

5. Add artifacts to the investigation scope, in addition to those added automatically from notable events.

6. Review the tabs and panels for information relevant to your investigation, such as additional affected assets or details about the affected assets that can accelerate your investigation.

7. As you investigate, add helpful or insightful events, actions, and artifacts to the investigation to record the steps you took.

8. Run searches, and add useful searches to the investigation from your action history with the investigation bar, or add relevant events using event actions. This makes it easy to replicate your work in future, similar investigations and builds a comprehensive record of your investigation process.

9. Filter dashboards to focus on specific elements, such as narrowing a swim lane search to a specific asset or identity on the asset or identity investigator dashboards. Add insightful filtering actions from your action history to the investigation using the investigation bar.

10. Add notes to record other investigation steps, such as notes from a phone call, email or chat conversations, or links to press coverage or social media posts. Upload files such as screenshots or forensic investigation files.

11. Complete and close the investigation and, optionally, close the associated notable events.

Investigations in Splunk Enterprise Security
